recipe #116, Source Code Managers: Checking authenticity of files in the download area

To check the authenticity of a file, one of the best tools currently available is GPG. We will not describe here what GnuPG is and how it works: if you are looking for that information, check the GnuPG documentation.

You can use GnuPG to check the authenticity of a file only if this file has been signed with GnuPG in the first place.

Download the file you are interested in and its signature. The signature is usually named after the file, with a .sig suffix. For instance, at http://download.gna.org/pdbv/pdbv.perl.pkg/2.0.9/ , you can download pdbv-2.0.9.tar.gz (the file) and pdbv-2.0.9.tar.gz.sig (the signature).

Use GnuPG to verify the signature against the file.

If it says that the relevant public key is not found, you must import the public keyring of the project to which the file belongs.
On the project's main page on Savane, http://gna.org/projects/pdbv , there is a link to the project's GPG keyring. Go there, download the keyring and import it. Once the keyring is imported, rerun the same command as before.

If it says the signature is correct, the authenticity of the file is confirmed: the signature should belong to a member of the project.
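As an added example (not part of the Gna! recipe), the steps above as a POSIX shell helper that reads GnuPG's machine-readable status output, so a script can tell a good signature from a missing key (import the project keyring and verify again) and from a failed verification. The gpg `--status-fd` option and its GOODSIG/VALIDSIG/NO_PUBKEY/BADSIG lines are real; the keyring file name and key ids are placeholders.

```shell
#!/bin/sh
# Added example, not from the Gna! recipe: drive gpg's machine-readable
# status output so a script can act on the three outcomes the recipe
# describes (good signature, public key missing, signature failed).

# classify_status reads "[GNUPG:] ..." status lines on stdin and prints:
#   nokey   - NO_PUBKEY: the signer's key is not in the keyring yet
#   bad     - BADSIG, or a signature from an expired/revoked key, or ERRSIG
#   good    - GOODSIG plus VALIDSIG and none of the above
#   unknown - nothing recognizable (treat as failed, never as good)
classify_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"   { good = 1 }
        $2 == "VALIDSIG"  { valid = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" || $2 == "ERRSIG" { bad = 1 }
        END {
            if (nokey) out = "nokey"; else if (bad) out = "bad"; else if (good && valid) out = "good"; else out = "unknown"
            print out
        }'
}

# verify_file FILE SIG [KEYRING]: verify FILE against its detached SIG.
# If the key is missing and KEYRING (the project keyring downloaded from its
# Savane page) was given, import it and verify once more, as the recipe says.
# Exit status is 0 only for a good signature; the classification is printed.
verify_file() {
    file=$1; sig=$2; keyring=$3
    result=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null | classify_status)
    if [ "$result" = nokey ] && [ -n "$keyring" ]; then
        gpg --batch --import "$keyring" >/dev/null 2>&1
        result=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null | classify_status)
    fi
    echo "$result"
    [ "$result" = good ]
}

# Constructed sample of what gpg prints before the project keyring is imported
# (key id is a placeholder). Running this file prints "nokey".
SAMPLE_STATUS='[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1700000000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
printf '%s\n' "$SAMPLE_STATUS" | classify_status

# Real use (keyring file name is a placeholder):
#   verify_file pdbv-2.0.9.tar.gz pdbv-2.0.9.tar.gz.sig project-keyring.gpg
```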

Note that automated checks are also performed on the download area: questionable files (files for which verification failed) should normally have been moved into a subdirectory called maybe-corrupted.


Copyright (C) 2004-2006, the Gna! people. Posted items are owned by whoever posted them.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.